Linux malware Kobalos steals credentials using hacked OpenSSH software
A trojanized version of OpenSSH software is being used to steal SSH credentials from high performance computing (HPC) clusters, reports security firm ESET. The Linux malware has been dubbed Kobalos, and is described as "small, yet complex" and "tricksy".
Despite its diminutive size, the Kobalos backdoor is hitting some major targets including government systems in the US, universities in Europe, and a major ISP in Asia. Security experts report that while the multiplatform backdoor works on Linux, FreeBSD and Solaris, "there are also artifacts indicating that variants of this malware may exist for AIX and even Windows".
Researchers at ESET reverse engineered Kobalos (named after a small, mischievous creature in Greek mythology) and were then able to scan the internet for victims of the malware. For the most part, it was major systems and supercomputers that were targeted, but there were also incidents involving private servers.
The purpose and perpetrator of Kobalos are not known at the moment.
Writing about the backdoor, ESET says:
Perhaps unrelated to the events involving Kobalos, there were multiple security incidents involving HPC clusters in the past year. Some of them hit the press and details were made public in an advisory from the European Grid Infrastructure (EGI) CSIRT about cases where cryptocurrency miners were deployed. The EGI CSIRT advisory shows compromised servers in Poland, Canada and China were used in these attacks. Press articles also mention Archer, a breached UK-based supercomputer where SSH credentials were stolen, but do not contain details about which malware was used, if any.
We've worked with the CERN Computer Security Team and other organizations involved in mitigating attacks on scientific research networks. According to them, the usage of the Kobalos malware predates the other incidents. While we know Kobalos compromised large HPC clusters, no one could link the Kobalos incidents to the use of cryptocurrency malware. The malware and the techniques described in these other attacks are different. We also know Kobalos is not exclusively targeting HPCs: we found that a large Asian ISP, a North American endpoint security vendor (not us), as well as some personal servers were also compromised by this threat.
Although the Kobalos codebase is very small, it includes the code for running a command and control server. ESET notes: "Any server compromised by Kobalos can be turned into a C&C server by the operators sending a single command. As the C&C server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C&C server".
To mitigate attacks, the security firm recommends that users enable two-factor authentication for connecting to SSH servers. ESET says that its tools detect the malware as Linux/Kobalos or Linux/Agent.IV, while the SSH credential stealer is detected as Linux/SSHDoor.EV, Linux/SSHDoor.FB or Linux/SSHDoor.FC.
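Because the credential stealer is a trojanized OpenSSH binary, the first thing an administrator wants to know is whether the ssh and sshd on disk are still the ones that were installed. The following POSIX shell check is an added example, not code from ESET or the white paper: it compares each listed binary against a known-good SHA-256 manifest, and the file tree, hashes and paths used in the demonstration are constructed here for illustration.

```shell
#!/bin/sh
# Added example: verify OpenSSH binaries against a known-good SHA-256 manifest.
# Manifest format: one "<sha256>  <path>" line per file, as written by sha256sum.
# A trojanized ssh/sshd swapped in on disk shows up as a hash mismatch.
# On a package-managed host the equivalent check against the package database is
#   dpkg -V openssh-client openssh-server             (Debian/Ubuntu)
#   rpm -V openssh openssh-clients openssh-server     (RHEL/Fedora)

# check_manifest MANIFEST -> exit 0 if every listed file matches, 1 otherwise
check_manifest() {
    manifest="$1"
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path (expected $expected, got $actual)"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Constructed demonstration (hypothetical install tree under a temp dir):
# record a baseline manifest, then replace the client binary as a trojanized
# OpenSSH would be, and re-check.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/usr/bin" "$demo_dir/usr/sbin"
printf 'genuine ssh client\n' > "$demo_dir/usr/bin/ssh"
printf 'genuine sshd\n'       > "$demo_dir/usr/sbin/sshd"
sha256sum "$demo_dir/usr/bin/ssh" "$demo_dir/usr/sbin/sshd" > "$demo_dir/manifest"

if check_manifest "$demo_dir/manifest"; then echo "baseline: clean"; fi

printf 'trojanized ssh client\n' > "$demo_dir/usr/bin/ssh"
if check_manifest "$demo_dir/manifest"; then
    echo "after swap: clean (unexpected)"
else
    echo "after swap: tampering detected"
fi
rm -rf "$demo_dir"
```

The manifest must be recorded from a trusted source (package metadata or a clean install), since a manifest generated after the compromise would simply bless the replaced binary.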
You can read ESET's full white paper, A Wild Kobalos Appears, here.